GAO warns of security flaws in IoT, medical devices

While most of the U.S. healthcare system was left untouched by the WannaCry ransomware attack that rocked the U.K National Health Service, it highlighted the major vulnerabilities in outdated hospital systems: medical devices.

Medical devices pose some of the biggest risks, as most lack even the most basic security measures. And implantable medical devices don’t have any security at all.

“Without proper safeguards, these systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks,” the report authors wrote.

Hackers can use malware to compromise the device to steal patient data and use it as a platform to gain access to an entire network. The report also found cybercriminals can also monitor and record data -- without detection.

One expert explained how a hacker can pull data from multiple devices to create an entire makeup of a person. These devices collect intimate data of the user, which exacerbates the concern.

Further, although most of the healthcare industry and its patients view the tools as an easy way to communicate and track health, it poses new privacy issues.

There are still many gray areas on the ways in which a company can collect, maintain and share data for business purposes, the report found. While there are many proposed methods to combat this, these are just theories.

For example, the report examined de-identifying the data to protect the unique identity of the user. But experts are concerned that the existing methods may not prevent future identification. So for the time being, de-identifying data is not a realistic possibility.

“With the rapid global expansion of IoT, security and privacy measures become increasingly important to curtail its misuse,” the authors wrote. “As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT products and services is also magnified.”

The assessment is based on Federal Trade Commission feedback and input from researchers and industry groups. A draft of the assessment was provided to 10 federal agencies for review, including the National Science Foundation, Office of Science and Technology and Home Security.